Ruleset prefix list isolation support #2290

Open
aweingarten wants to merge 6 commits into linode:dev from aweingarten:ruleset_prefix_list_isolation_support

Conversation


@aweingarten aweingarten commented Mar 4, 2026

📝 Description

What does this PR do and why is this change necessary?

Adds LKE Enterprise provisioning support across three areas: firewall rulesets/prefix lists, node pool isolation & disk encryption, and zero-pool cluster creation.

Dependencies

The following linodego additions are required in PR

| Type | Addition | Used by |
| --- | --- | --- |
| Struct | LKEClusterRuleSetIDs (Inbound/Outbound int) | discoverClusterRulesets() in linode_lke_cluster |
| Field | LKECluster.RuleSetIDs | Deserialization (API does not yet populate) |
| Struct | LKENodePoolIsolation (PublicIPv4/PublicIPv6 bool) | isolation block on linode_lke_cluster + linode_lke_node_pool |
| Field | LKENodePoolCreateOptions.DiskEncryption | disk_encryption on pool create |
| Field | LKENodePoolCreateOptions.Isolation | isolation on pool create |
| Field | LKENodePoolUpdateOptions.Isolation | isolation on pool update |
| Method | Client.ListFirewallRuleSets() | Discovering LKE-E rulesets by label in discoverClusterRulesets() |

Firewall Ruleset References

New inbound_ruleset / outbound_ruleset attributes on linode_firewall accept a list of ruleset IDs. These are prepended before inline rules in the API payload and separated back out on read. This lets users wire LKE-E service-managed rulesets (control-plane, registry, DNS, etc.) directly into a firewall resource.

Prefix List Support

Changed ipv4/ipv6 rule address types from cidrtypes.IPv4PrefixType/IPv6PrefixType to types.StringType so that prefix list tokens (e.g. pl::subnets:123, pl:system:ps:managed:container:registry) are accepted alongside CIDRs.

LKE-E Cluster ruleset_ids

New computed ruleset_ids block on linode_lke_cluster exposes inbound and outbound firewall ruleset IDs. Discovered via ListFirewallRuleSets matching the lke{id}-inbound/lke{id}-outbound label convention, since the cluster API does not return these natively.

Node Pool Isolation

New isolation block on both linode_lke_cluster (SDKv2 pools) and linode_lke_node_pool (framework resource) with public_ipv4 / public_ipv6 booleans.

Node Pool Disk Encryption

disk_encryption changed from computed-only to optional+computed with validation (enabled/disabled). ForceNew on the framework resource.

Zero-Pool Enterprise Clusters

linode_lke_cluster now supports creating enterprise-tier clusters with zero inline node pools. The node-ready wait is skipped and customDiffValidateOptionalCount guards against nil pool lists.

Files Changed

| File | Change |
| --- | --- |
| linode/lke/resource.go | discoverClusterRulesets() helper, zero-pool wait logic, isolation/disk_encryption on pool create |
| linode/lke/schema_resource.go | ruleset_ids computed block, isolation block, disk_encryption optional+validated |
| linode/lke/cluster.go | NodePoolSpec gets DiskEncryption/Isolation, reconcile/expand/flatten updated |
| linode/lkenodepool/framework_models.go | NodePoolIsolationModel, flatten/create/update/copy for isolation + disk_encryption |
| linode/lkenodepool/framework_resource_schema.go | isolation block, disk_encryption optional with RequiresReplace |
| linode/firewall/framework_schema_resource.go | inbound_ruleset/outbound_ruleset attributes, ipv4/ipv6 → types.StringType |
| linode/firewall/framework_schema_datasource.go | ipv4/ipv6 → types.StringType |
| linode/firewall/framework_models.go | separateRulesetRefs(), ruleset expand/flatten, InboundRuleSet/OutboundRuleSet fields |
| linode/firewall/firewall_helpers_unit_test.go | 5 new tests for separateRulesetRefs, ExpandFirewallRuleSet, FlattenFirewallRules |

✔️ How to Test

What are the steps to reproduce the issue or verify the changes?

  1. Create an LKE-E cluster with tier = "enterprise" and zero inline pools
  2. Reference linode_lke_cluster.main.ruleset_ids[0].inbound / .outbound in a linode_firewall resource's inbound_ruleset / outbound_ruleset
  3. Add outbound rules using prefix list tokens (e.g. ipv4 = ["pl::subnets:123"])
  4. Create a linode_lke_node_pool with disk_encryption = "enabled" and isolation { public_ipv4 = false; public_ipv6 = true }
  5. Verify tofu apply completes and tofu plan shows no drift

How do I run the relevant unit tests?

```shell
# Firewall helpers (separateRulesetRefs, ExpandFirewallRuleSet, FlattenFirewallRules)
go test ./linode/firewall/ -run 'TestSeparateRulesetRefs|TestExpandFirewallRuleSet|TestFlattenFirewallRules_PrefixList' -v

# linodego LKE cluster tests
cd ../linodego && go test ./test/unit/ -run 'TestLKECluster_Create_Enterprise|TestLKECluster_Get_NoRuleSetIDs' -v
```
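An added example, not part of the PR or the provider's own test fixtures: one OpenTofu configuration that walks through steps 1 to 4 of the test procedure above, using only the attributes the PR introduces. Label, region, k8s_version, instance type and the subnet id in the prefix list token are placeholders.

```hcl
# Added example (not from the PR). Placeholder values are marked as such.

# Step 1: enterprise-tier cluster with zero inline node pools.
resource "linode_lke_cluster" "main" {
  label       = "lke-e-example"   # placeholder
  region      = "us-iad"          # placeholder region
  k8s_version = "1.31"            # placeholder version
  tier        = "enterprise"
  # No pool blocks: the PR skips the node-ready wait for this case.
}

# Step 2: wire the service-managed rulesets into a user firewall.
resource "linode_firewall" "lke_e" {
  label           = "lke-e-firewall"   # placeholder
  inbound_policy  = "DROP"             # default-deny; rulesets and rules open what is needed
  outbound_policy = "DROP"

  # ruleset_ids is computed by discoverClusterRulesets() from the
  # lke{id}-inbound / lke{id}-outbound label convention.
  inbound_ruleset  = [linode_lke_cluster.main.ruleset_ids[0].inbound]
  outbound_ruleset = [linode_lke_cluster.main.ruleset_ids[0].outbound]

  # Step 3: a prefix list token in place of a CIDR, accepted now that
  # ipv4/ipv6 are plain strings. 123 is a placeholder subnet id.
  outbound {
    label    = "allow-vpc-subnet-https"
    action   = "ACCEPT"
    protocol = "TCP"
    ports    = "443"
    ipv4     = ["pl::subnets:123"]
  }
}

# Step 4: disk-encrypted node pool with public IPv4 disabled.
resource "linode_lke_node_pool" "workers" {
  cluster_id      = linode_lke_cluster.main.id
  type            = "g6-standard-2"   # placeholder instance type
  node_count      = 3
  disk_encryption = "enabled"         # ForceNew on this framework resource

  isolation {
    public_ipv4 = false
    public_ipv6 = true
  }
}
```

After `tofu apply`, a second `tofu plan` should report no drift (step 5); a diff on ipv4 would indicate the prefix list token is not round-tripping through the read path.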

@aweingarten aweingarten requested a review from a team as a code owner March 4, 2026 14:12
@aweingarten aweingarten requested review from mawilk90 and psnoch-akamai and removed request for a team March 4, 2026 14:12
@aweingarten aweingarten force-pushed the ruleset_prefix_list_isolation_support branch 6 times, most recently from 6878459 to ddba969 March 10, 2026 18:07
@aweingarten aweingarten force-pushed the ruleset_prefix_list_isolation_support branch from ddba969 to 3a48f0f March 10, 2026 18:17